A conversation with Steemit HACKER @accounttransfers & IMPORTANT SECURITY SUGGESTION for EVERYONE!

in #steemit, 7 years ago (edited)

steem power protection.jpg

After the ordeal of losing my account for 5 days to a hacker who used it to scam others, I unexpectedly regained control of it yesterday, thanks to the awesome human side of Steemit Inc, who despite their decentralised system were able to send me an email with a link that let me get back in and change my password. I have learned many things.

Since getting my account back I have changed the password twice already. And it will be changed regularly from now on.

This whole experience has made not only me, but the entire Steemit community & system behind it STRONGER as a result.

To learn more about exactly what happened and how to avoid falling for their trap... read my post HERE

Over the course of five days I watched my account go from this

original banner.jpg

to this

Screen Shot 2017-10-09 at 22.01.52.png

to this

Screen Shot 2017-10-10 at 04.15.54.png

to this

Screen Shot 2017-10-10 at 23.33.11.png

It was not easy seeing this happening, knowing that I had brought it upon myself by making a silly mistake when I was very tired and under pressure to catch a flight.

Clearly I won't be making this mistake again.

sexy banner.png

When the dust settled I decided to open a dialogue with @accounttransfers, the owner of the account which scammed & hacked me, using the same system he was using: sending 0.001 SBD to his wallet with the memo as my message.

I felt instinctively drawn towards thanking him

because in this moment I am genuinely grateful for what has happened.

  • A bot has now been created by @arcange to warn people when they are being scammed, using this same wallet message system.

  • The Steemit community has been made more aware of this type of scam and will be vigilant now. Assuming they take the time to read other peoples' posts... which clearly we must! Over 1000 people have read my article on this subject in the 48h since I posted it SEE HERE

  • The wording of the Steemit account creation process now makes clear that the email address will be required if your account is ever compromised.

Clipboard - October 9, 2017 6-54 PM.png

14 months ago when I joined Steemit, the wording was different and I set up a new email account with a random name and a random password, exclusively for the purpose of confirming this Steemit account... and I never used this email account again.

When my Steemit account was compromised I was unable to remember any details of this email despite my best efforts, making the standard account recovery process impossible for me.

One important fact has been made crystal clear for me as a result of this (thanks to @firepower):

If I use the posting key to log in and the active key only when transferring funds, this keeps the master password (and the owner key) offline as much as possible, which ultimately makes the account safer.

Please contact me in the comments below if you are in any way confused about how to access your active & posting keys.
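To make the posting/active/owner distinction concrete, here is an added example (my code, not Steemit's and not from the original post) of how Steem derives each role's private key: the 32-byte secret is sha256(account name + role + master password), then encoded as a WIF string. The account name and password in it are made up. Running it shows three things the paragraph above relies on: the four keys bear no relation to one another (a leaked posting key reveals nothing about the active key), every key changes when the password changes, and anyone holding the master password can regenerate all four, which is why the master password must stay offline.

```python
import hashlib

# Base58 alphabet shared by Bitcoin-style WIF keys and Steem/Graphene.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ROLES = ("owner", "active", "posting", "memo")


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    # every leading zero byte is encoded as a leading '1'
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + "".join(reversed(digits))


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)
    pad = len(text) - len(text.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * pad + body


def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def to_wif(secret: bytes) -> str:
    # WIF = base58(0x80 || 32-byte secret || first 4 bytes of double-sha256)
    payload = b"\x80" + secret
    return b58encode(payload + checksum(payload))


def from_wif(wif: str) -> bytes:
    raw = b58decode(wif)
    payload, check = raw[:-4], raw[-4:]
    if len(payload) != 33 or payload[0] != 0x80 or check != checksum(payload):
        raise ValueError("not a valid WIF private key")
    return payload[1:]


def role_secret(account: str, role: str, master_password: str) -> bytes:
    # Steem/Graphene derivation: the role's 32-byte secret is sha256(name + role + password)
    return hashlib.sha256((account + role + master_password).encode("utf-8")).digest()


def derive_role_keys(account: str, master_password: str) -> dict:
    # One master password yields all four role keys; the keys themselves are independent hashes.
    return {role: to_wif(role_secret(account, role, master_password)) for role in ROLES}


if __name__ == "__main__":
    # Constructed account name and password for the demo; never paste a real master password anywhere.
    account, password = "exampleuser", "P5ExampleMasterPasswordNotReal"
    for role, wif in derive_role_keys(account, password).items():
        print(f"{role:8s} {wif}")
    rotated = derive_role_keys(account, password + "-changed")
    print("all four keys change on password change:",
          all(rotated[r] != derive_role_keys(account, password)[r] for r in ROLES))
```

This also answers the common question of whether changing the password rotates the posting, active, owner and memo keys: it does, because every one of them is a hash of the password. The reverse is the dangerous direction: a phishing page that asks for the master password gets every role at once, while a page that only ever sees the posting key cannot move funds.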

Matrix Steem.gif

USE STEEM POWER TO PROTECT YOU!

Steemit has been designed in a very clever way... to protect us.

The hacker was unable to take anything from me because it was all held as STEEM POWER.

The first STEEM payment comes 7 days after hitting power down. Which gave me enough time to resolve this before he could take anything.

In truth there were a few SBD in my wallet which he used to spam people with. But at 0.001 SBD per spam, this didn't cost me much.

So, the moral of the story is this...

Don't keep STEEM or SBD sitting idle in your wallet.

  • If you have STEEM and you don't intend to sell it for BTC, power it up now!

  • If you have SBD, sell it for BTC on an exchange of your choice and if you're wanting to power it up, you should sell the BTC for STEEM, transferring it back to your wallet before powering it up.

To clarify...

Hit the down arrow next to your SBD total and you will see this

Screen Shot 2017-10-12 at 09.41.09.png

CONVERT TO STEEM is a fast and easy option but you will not be getting the best rate of exchange. Hence my suggestion to use an exchange/market of your choice.

Each exchange varies slightly, so if you're really keen, have a look around for the best rates. You can see above that Steemit offers a market of its own, which would be the first place to check.

sexy banner.png

What was my conversation with @accounttransfers?

I sent him a little gratitude as you can see here... and a suggestion which I genuinely believe would help him.

Screen Shot 2017-10-12 at 06.12.21.png

his response was this

Screen Shot 2017-10-12 at 06.12.35.png

He clearly doesn't have access to my account but after a little research I understood better what he was saying and how this was achieved.

DQmfYuT5cdAaK2cwZej6pXSkT6s3TsNtzJfTL9q2cpJWp4h.gif

Consequently, I strongly suggest you all change your passwords now.

I didn't respond to his comment as I didn't feel like there was much more to say at that point! His implication that I am stealing your donations for the evacuees of Bali is laughable, given the visibility of our wallets. And you can be sure that I will document the entire journey from STEEM to solar products & water filters, photographing the smiles on their faces when they are handed over to them 😄

After not responding, he messaged me again with the following words

Screen Shot 2017-10-12 at 06.12.52.png

Well isn't that lovely of him. Good to know we are mates now!

In truth I have nothing against him, as is my way. I cannot know his experience of this world and do not judge him. However, I am still curious to know his motivations.

So @accounttransfers if you are reading this...

Perhaps you would like to leave a comment below explaining to the community why you are doing this?

Please understand that you are in one of the most loving and open-minded communities on the internet, and if you tell us your perspective we may even come to understand & support you.

Especially if you put on the WHITE HAT and use your skills to improve the security of this platform. I have seen others achieve huge pay-outs doing exactly this.

Looking forward to your response :)

Sam

Over & out for now...

Blessings from Bali.jpg

Hacking code gif source. The STEEM MATRIX gif was created by me and you are all welcome to use it as you please.


Glad you got this sorted out, whilst educating the rest of us with what you've learned through experience. Upvote earned!

Thank you for your support! Indeed, valuable lessons learned by all. And we are stronger as a result :)

For those of you feeling like you need a better understanding of how Steem keys (ie Passwords) work, you should check out this post by @dragosroua

The hackers' claim to have obtained 7000 passwords should not scare you either. They don't need to try and attack Steemit.com to gather passwords when the Steem blockchain itself is public knowledge.

Anyone can attempt attacks on the blockchain to uncover private keys, that's why your keys are a crazy long number that you don't get to pick on your own.

They're that long and unmemorable so that they are extremely hard to crack. We're talking millennia at this point in our technological state to just crack one. So the claim that they've now compromised 7000 accounts as part of the recent DDoS attacks is laughable.

The only way that any hacker is going to get access to your account is if you actually give them your key. That's why it is so important to make absolutely sure you know what site you are on whenever you are using your active or owner key.

Wow! Great info here. Thank you. I am still learning so much every day thanks to people like yourself 🙏🏻

Happy to help my friend. I was so glad to see that you were able to get your account back. Also very glad to see you kept your Steem powered up. That's definitely another huge boon for the Steem blockchain that makes it stand out against the others. It's a killer feature to be able to protect your assets from being instantly withdrawn in cases just like this.

PS- I'm still looking forward to the video where you show us how to make a spinning staff like yours and some initial steps to get spinning in the right direction :)

If anyone's interested, I did a follow up post that gives a better picture on the kind of time frame we're talking to actually try to hack your private key. How Long Would it Take to Hack Your Steem Password

Thanks for sharing the other post. It was appropriate and very helpful! I posted a long reply over there too to further dig into this key issue and how best to share account security tips with new people.

Definitely, he did a great job with that post and the more people that see it the better. It really is one of the trickier things for new folks to understand especially when this is usually their first interaction with any kind of blockchain.

In truth I have nothing against him, as is my way. I cannot know his experience of this world and do not judge him.

I have the same philosophy. It's always easy to hold but it's the one that make the most sense in my opinion.

It is a sound philosophy, just difficult to implement in the moment when the heart-rate is high.

Labels like good and bad are always perspective based. Makes me think of something Esther Hicks said to demonstrate this. Upon seeing her cat eating a bird she shouted "BAD CAT!" and the cat replied, "Good bird!"

Same event. Opposite perspectives. And who is to say which one is right or wrong?

But.... if he's actually stealing people's money, then it's a bad thing. Hasn't actual money been stolen from people from these hacks? Theft is a serious issue and should not go unpunished.

Yeah, he's just pushing buttons at the end of the day, pushing buttons on a computer and typing and clicking. Makes you wonder, since there's no actual physical violence in this sort of theft and the OP actually gave away his money when he gave away his master key... what if someone sells their Steemit account for bitcoin and then does an account recovery? Hmm, lots of problems we should probably troubleshoot and think out before they happen in real life! Anyway, yeah, what if this hacker is super poor and literally has no other way to make money?

The "hacker" (and we shouldn't give them that mantle, as they did not create anything special here, just a lame phishing attack, more of a scammer) seems young and was maybe led to believe that they wouldn't be able to make much money in their world unless they sold drugs or something, so this is his way to make money without a risk of going to jail or getting hurt, or so he thinks, but someone will easily track him down one day and he will get hurt, because the world is not like it was with identity theft and people will hire other black hats to track them down, and it's crazy, the darknet markets have people ready to offer any service for money! Which didn't exist before, you couldn't offer services online for money because there was no safe way to actually accept or make payments online, but now with crypto that's been taken care of, using Monero........ but now people can actually pay to track people down etc.

Anyway this hacker is funny, he tried to act like he "gave the account back" to be nice or something, so funny

But yeah, you being open minded about this will earn you many followers.

ALSO I'm GLAD this came up to help Steemit users have better security AND to remind people not to fall for this stuff, since Steemit doesn't use messages like that for any important things! I've been WONDERING about account recovery and ALSO it's a REMINDER for all of us to change our passwords often and to keep our private master keys very safe and backed up in multiple physical places etc.

Alright thanks again for the posts VERY happy you got your account back!

I bet your partner is relieved lol, you were like "She will forgive me in time", sounded bad lol, glad you're back in business! I hope you've learned your lesson about keeping all your money in ONE wallet, I hope you now have some money in Bitcoin in a wallet on your smartphone or laptop like Exodus and backed up multiple times... OR just use openledger.io to keep some BTC, and maybe you should also just use your secondary Steemit account you started using for a little while there, hey you should use that one, put some SP in it and use it as a backup! Always good to have another Steemit account with some Steem Power and money in it JUST in case!

The "Transfer To Savings" is where you are supposed to move Steem or Steem Dollars that you intend to hold for a while. It takes 3.5 days to get those out of savings, and what I understood was that this was supposed to be enough time to recover your account if you need to.

But it appears that 3.5 days just isn't long enough in many cases.

Thanks for sharing your whole experience and what you have learned with everybody.

This is true. Keep the majority of your money in SP then. I only keep SBD and Savings when I know that money will be needed in the near future to pay for some service or give to some charity. Right now I have almost 1K in it, but it is because I'm preparing to pay a large bill in the near future. :) Otherwise, I would never have that much in SBD.

Good point. Though as you say 3.5 days may not be long enough. It wouldn't have been long enough in my case... though this was a slightly different situation to the norm. Assuming everyone else has access to the email with which they set up their account.

Thanks as always for your support & encouragement 🙏🏻

It looks like he had a few other responses that were missed as well. At this point, I don't know that he/she/they could ever be trusted as a white hat, especially as that is what they are claiming to be now.

Capture.PNG

Thanks! I hadn't thought to include the message in the @samstonehilltube acc. There is a certain irony to a scammer calling me a scammer.

As I have said, the wallets are visible to all and one only has to look in the @charitysteemit wallet to see their donations. When the donations are moved from this account, shortly after this I will do a post showing exactly what was bought. How is this a scam???

Anyway. Clearly an unhappy individual, whatever hat he claims to be wearing.

Hope he takes my advice and starts meditating regularly.

Yeah, it seems like he is claiming that you gained a lot of upvotes from the ordeal, which might be true, but I would not say that you are under any obligation to return any funds gained from voluntary interaction such as upvoting and voluntary transfers.

If you can, try to keep up the conversation with him. I think you may be the right type of person for the job. I can come up with some questions.

Here are some:

Since you are a white hat, would you mind telling the type of target you were after?

How many accounts have you created on Steemit with the intention of using them as a platform to lure victims?

How long do you post and resteem under these accounts in order to establish their legitimacy?

Can you give us some examples of the different types of attacks you carry out from your accounts?

For the spoofed website which you got me with, what are some good pointers that users should look out for in order to ensure the website is legit?

You mentioned not to use the master account key, can you explain that in layman's terms so that novice users will understand it better?

Yeah, I'm not buying it either. The question I have is why Steemit.com hasn't shut that account down. Why leave the guy alone? Are they just trying to be nice? Who is behind it? Am I wrong to think the account should be shut down?

I think that because of what Steemit is, they do not shut down accounts.

Is there an Etiquette Guide for Steemit?
There are no official rules for participating on Steemit.com, but one of the users @thecryptofiend has created an Etiquette Guide for the community. While it is not required to follow the suggestions in the guide, they are standards that many users in the community choose to follow.

There simply are no official rules. Also in the FAQ it reminds people that:

Accounts can not be deactivated or deleted. The account along with all of its activity is permanently stored in the blockchain.

I know that, with the normal safety that people expect from others taking care of us, this seems strange, but Steemit really does mean that people need to own their mistakes and their actions. This is not Las Vegas, where what happens there stays there. This is Steemit, and it is open for the world to see your actions, good or bad.

Thanks for your suggestions here. Sorry for my slow response to them. All great questions... and I will do my best to re-open the dialogue, which has been silent for a week now.

If not, don't feel compelled to do so on my behalf. I doubt they would answer those questions.

Wow the openness of this blows my mind...
Thanks for the heads up

Very useful post, thank you for valuable information

very useful information for someone like me who is new on this platform.

That is awesome that you managed to get it back. I knew it wasn't you.

Wow! What a lesson for all of us! Thank you!

I am so happy you are back on track... thanks for all this info, very handy and good to know, because you never know, it's a tough world out there and some just like to take it the easy way :)

Very useful post,

When you change your password, do you also get new passwords for posting, active, owner, and memo?

It's really great you got the account back, Sam!

Thanks for sharing this useful information. I will do the same: change my password frequently and use the active key to transfer funds.

Hahahahahah! This is like a new genre of soap opera, where hackers and their victims engage in intrigues combined with philosophical intercourse, with the goal of establishing higher levels of interpersonal harmony... Hahahah! We need to pitch this to the Hollywood "Reality TV" crowd... Hahahah!

Wow, great to know that you have recovered your account. I feel people should understand the importance of their owner key. It is a very valuable asset, so give value to it. I have seen so many people getting hacked; people should be more cautious now.

Sounds like a good reason why Steemit should get 2FA.

This post is very useful for everyone to get warned and take steps to get protected... Thanks

I learned a lot from you, thank you

When I spin, @samstonehill, I always spin in your favour! I also remember every single time you fed me. You started feeding me 8 days ago and fed me 1 STEEM in total.Thank you for being good to me and helping me become stronger! Our common cause will help many people.

I will now also call in my friend @OriginalWorks who will check the originality of your post and upvote as well!

Yours, Spinny

I like very much when everyone who feeds me also reads my friend’s posts, so please visit @uwelang and read what he has to say! Your name will also appear here. :-) Join my Discord server if you want to meet others: https://discord.gg/Mz2EZP3

The @OriginalWorks bot has determined this post by @samstonehill to be original material and upvoted it!

ezgif.com-resize.gif

To call @OriginalWorks, simply reply to any post with @originalworks or !originalworks in your message!

To enter this post into the daily RESTEEM contest, upvote this comment! The user with the most upvotes on their @OriginalWorks comment will win!

For more information, Click Here!
Special thanks to @reggaemuffin for being a supporter! Vote him as a witness to help make Steemit a better place!

Glad you got your account back, or maybe the hacker is just pretending he gave it back? lol

Hah no, I know it's you now and I'm GLAD the recovery process worked even though you signed up very early when they had different instructions about using a throwaway email I guess, now they don't tell you to change email, so yeah, anyway,

I can't BELIEVE you fell for that trick! How could you just give your master key to some random website you got in a message?? Did you even check the name of the account who sent you that message?? lol And being tired cannot be an excuse, man!

And anyway, so how much have you raised for solar products? You know they shipped me my $10 solar chargers FROM Malaysia, so you should be able to get solar chargers cheap there! Cost me $25 to send 2 solar chargers to Ghana, dunno if they arrived or not yet, haven't heard from @ortigas100 but @tj4real might be able to tell me if he's heard from him, probably just in school or work or busy, I dunno, but I need to tell you that the best we can do for people in developing nations is simply get them on Steemit and MAYBE, if they don't already have smartphones, buy Android smartphones, but they need an internet smartphone and a solar battery charger and then we're good and they can start earning money, and they'll need our follows and upvotes, but like the Steemit Africa team in Ghana, the Steemit users are REALLY getting popular and @tj4real is getting several new people a week on board to Steemit, it's amazing, I keep finding him onboarding sooo many people, it's inspiring to see him work that hard, and they are all basically accumulating a few STEEM here and there, so they will be prepared to make a lot of money when the STEEM price goes to the moon... that's why people need their STEEM... because it's like having bitcoin when bitcoin is cheap!
Anyway, tell these people in Indonesia about Steemit! Get them all on the Steem blockchain and help one become a whale! Use some money you've raised to simply transfer it over to an Indonesian Steemit user who is hard working, who you can power up to become a whale, or a dolphin at least! All they need is a few grand in Steem Power to create their own circle of Steemit minnows who they can then pay

Every region needs its own Steemit whale! We need to decentralize not just the witness nodes but the Steem Power itself! We cannot have the Steem Power concentrated in the hands of a few western people, we need people in all the developing nations to have some Steemit whales and dolphins!

ANYWAY, good post, makes me ABUZZ with energy thinking about this stuff! Makes me feel good that you got your account back before the first power down was even finished! Great, so awesome! ANOTHER great reason to hold ALL your STEEM in STEEM POWER, so hackers cannot get a DIME unless they can stay in there for over a week! So keep ALL your STEEM as Steem Power, everyone!

Time locks for cryptocurrency wallets are the future and Steemit LEADS the way!

So wonderful that you've recovered your account. I am sure this stressful experience will help others avoid this in future.

I would say: "Will the real @samstonehill please stand up?" But it looks like he already has. Best wishes Bro!


Really an eye opener post :)

I am happy to see that you got your account back!
Namaste

Great you're back and fended off these crooks. Also great you're sharing the story to help others. Hope you didn't lose too much and can gain back some of your losses. All the best my friend :)